The IRS has been caught on the back foot again by fraudsters — this week announcing the temporary shutdown of its online Identity Protection PIN tool for taxpayers.
The service has been suspended after reports that taxpayers who had been victims of tax-related identity fraud in prior years found their personal identification numbers had been compromised.
“Through the end of February, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN,” the agency said in a statement.
The statement says 2.7 million taxpayers were issued an Identity Protection PIN by mail because they might have been the victims of ID theft in prior years. No taxpayer who had been issued a PIN could file a tax return without one — an additional layer of security against fraudsters filing fake returns. Of those 2.7 million, approximately 130,000 people, or one in 20, attempted to retrieve their number online — a service offered for those who lost or forgotten their PIN.
A report posted by security journalist Brian Krebs found that people who had been previously victimized were having their PINs stolen via the IRS website, probably due to the use of knowledge-based authentication, or KBA, questions for taxpayers to prove their identity and obtain the number.
The news is another blow to the agency, and to its use of KBA to identify taxpayers online.
Knowledge-based authentication was at the heart of a breach last year, which saw fraudulent returns filed via the agency’s “Get Transcript” application. Last week, the IRS again revised the amount of people affected by that breach, saying more than 700,000 Social Security numbers and other sensitive information may have been stolen.
This year’s tax filing season has also brought another round of large-caliber data breaches. Over the past 48 hours, reports have surfaced that Cupertino, California-based data security company Seagate Technology and New York-based publisher Mansueto Ventures had their employees’ W-2 data stolen by criminals.
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.